Article Details
Scrape Timestamp (UTC): 2024-06-12 19:09:59.524
Original Article Text
Google warns of actively exploited Pixel firmware zero-day

Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been targeted in attacks as a zero-day.

Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue.

"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," the company warned this Tuesday. "All supported Google devices will receive an update to the 2024-06-05 patch level. We encourage all customers to accept these updates to their devices."

Google tagged 44 other security bugs in this month's Pixel update bulletin, seven of which are privilege escalation vulnerabilities that are considered critical and impact various subcomponents.

While Pixel devices also run Android, they receive security and bug fix updates separately from the standard monthly patches distributed to all Android OEMs, because of their exclusive features and capabilities and the unique hardware platform directly controlled by Google.

You can find more details on the June 2024 updates for the Pixel in the security bulletin dedicated to Google's own smartphone range.

To apply the security update, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process.

Earlier this month, Arm warned of a memory-related vulnerability (CVE-2024-4610) in Bifrost and Valhall GPU kernel drivers exploited in the wild. This use-after-free (UAF) vulnerability impacts all versions of Bifrost and Valhall drivers from r34p0 through r40p0, and it can be exploited in attacks that lead to information disclosure and arbitrary code execution.

In April, Google fixed two other Pixel zero-days exploited by forensic firms to unlock phones without a PIN and access the data. CVE-2024-29745 was tagged as a high-severity information disclosure bug in the Pixel bootloader, while CVE-2024-29748 is a high-severity privilege escalation bug in the Pixel firmware.
Daily Brief Summary
Google has issued patches for 50 vulnerabilities in Pixel devices, including one actively exploited zero-day.
This zero-day, identified as CVE-2024-32896, is a high-severity elevation of privilege flaw in the Pixel firmware.
Exploitation of CVE-2024-32896 is reported to be limited and targeted, prompting an immediate update to the 2024-06-05 patch level.
The June 2024 update also addresses other security concerns, including seven critical privilege escalation vulnerabilities in different Pixel subcomponents.
Unlike other Android devices, Pixels receive their own separate updates because of their distinct features and Google's direct control of the hardware.
Pixel users must manually install the update through their device settings to protect against these vulnerabilities.
Additionally, a recent Arm disclosure mentioned another, unrelated but actively exploited vulnerability, CVE-2024-4610, affecting GPU kernel drivers.
In April, Google patched other Pixel-specific zero-days used by forensic firms to bypass security controls and access device data.